Malware and exploit campaign detection system and method

ABSTRACT

A malware and exploit campaign detection system and method are provided that cannot be detected by the malware or exploit campaign. The system may provide threat feed data to the vendors that produce in-line network security and end point protection (anti virus) technologies. The system may also be used as a testing platform for 3rd party products. Due to the massive footprint of the system&#39;s cloud infrastructure and disparate network connections and geo-location obfuscation techniques, NSS can locate and monitor malware across the globe and provide detailed threat analysis for each specific region, as they often support and host different malware/cybercrime campaigns.

PRIORITY CLAIMS/RELATED APPLICATIONS

This application is a continuation of and claims priority under 35 USC120 to U.S. patent application Ser. No. 14/482,696 filed Sep. 10, 2014and entitled “MALWARE AND EXPLOIT CAMPAIGN DETECTION SYSTEM AND METHOD”,and U.S. patent application Ser. No. 15/346,358 filed Nov. 8, 2016entitled “MALWARE AND EXPLOIT CAMPAIGN DETECTION SYSTEM AND METHOD”,which in turn claims the benefit under 35 USC 119(e) and priority under35 USC 120 to U.S. Provisional Patent Application Ser. No. 61/876,704filed Sep. 11, 2013 and entitled “Malware And Exploit Campaign DetectionSystem And Method”, the entirety of which is incorporated herein byreference.

BACKGROUND

Intrinsically modern malware and exploit campaigns are growing insophistication related to obfuscation, deployment, and execution in aneffort to avoid detection and analysis by security researchers, andmodern security systems and software. Anti-virus (AV) systems, such asendpoint protection platforms (EPPs), as well as breach detectionservices (BDS) employ virtual “sandboxes” or “honey nets” that operatein a cloud (virtual) network construct. These sandboxes attempt toidentify malware and virus programs by incubating the suspect softwareuntil such time as the malware executes and it's activities can bemonitored and analyzed. These systems often fail to identify previouslyunknown malware due to the evolution within malware development thatallows the malware to recognize when it is sitting in such asystem/trap. Modern malware can be considered to be “cognitive” andcompletely aware that it is currently being incubated within a trap(monitored system), and will continue to hibernate and therefore willnot present itself as malicious software. Thus the sandbox system willfail to identify the suspect file as being malicious, and therefore willallow all similar programs to bypass future testing.

BRIEF SUMMARY

The system and method for malware and exploit campaign detection (thatmay be known as “BaitNET”) is different than known systems since thesystem has technology that prevents detection of the system by themalware/exploit. Unlike other technologies, BaitNET cannot be detectedby modern malware/exploits and thus the operations/actions of themalware/exploits can be collected and analyzed without restriction. Thecollected malware/exploit is replayed/tested against various operatingsystem and application configurations within BaitNet's private cloudinfrastructure to determine what other system footprints are susceptibleto the malware campaign. BaitNet is able to successfully incubate,track, and inventory the malware/exploit. Due to the transparency ofBaitNET to the malware/exploit, BaitNET is able to perform live analysisthat that can track threat actors, identify where they are trulylocated, and what other similar malware/exploit campaigns they have beenlaunching and against whom. All of this is done while BaitNET producesthreat forecasts that indicate viable and potential targets of thethreat actors. BaitNET can also be used to measure and test theeffectiveness of commercially available EPPs, AVs, in-line networksecurity appliances, and BDS systems. This is done by injectingmalware/exploits into BaitNET's construct, where these commercialproducts have already been installed, and then monitoring the deltabetween what BaitNET knows was injected, and detected itself, and whatthe commercial product claims to have detected. E.g., BaitNET is anadvancement in technology so far beyond modern AV, EPP, and BDS that itis used to test the efficacy of these commercial products.

In one implementation, BaitNET is the conglomerate of a number ofsoftware applications, processes, and innovations as outlined hereinwhich afford BaitNET the ability to shim into the operating system andthe virtual machine architecture (both guest and host) enabling BaitNETto obfuscate the fact that the machine itself is a virtual/unmannedcomputer. The system utilizes a multitude of virtual private networks(VPNs) allowing a near-unlimited number of unique Internet IP addressesfrom all across the world to be used. These disparate IP addressesafford two primary advantages to BaitNET. One, in order to forcere-infection, as many malware system will not “drop” (deploy) malware tothe same IP address more than once, it is necessary to have BaitNETobfuscate its Internet presence. Two, many malware campaigns limit theirtargets by geo-location, which is often tracked via IP Address. E.g.,Malware-infected servers often limit themselves to only infecting one(1) computer from any given masked IP address, and may limit the countryof origin of the IP addresses that they will infect. BaitNET utilizesVPNs throughout the world to mimic dispersed geo-location and map outmalware campaigns in different regions. Other techniques, while notproprietary to BaitNET, may also be used to emulate potential targetqualification data points such as varying the language pack and keyboardlanguage configuration on the host operating system.

After finding new malware, done by crawling URLs provided throughvarious channels, BaitNET records the attack vector, payload, criticalinformation on exploitation, and other relevant metadata and then“replays” this attack against thousands of other hosts on the BaitNETnetwork. “Replay” is achieved through the use of BaitNET's proxyservices, as outlined later in this document, and may be done against asingular image when testing the efficacy of a 3^(rd) party securitysystem or against limitless iterations of operating systems, applicationconfigurations, and versions of software tools when mapping theeffectiveness of the exploit/malware. Each of the hosts used during thereplay has a different combination of web browser, suite of installedapplications, various program and operating system patch levels,installed language packages, etc. The representation of systems arenearly all possible combinations, Windows and OS X, from 2005 to presentday. BaitNET is also capable of emulating mobile device operatingsystems, and uses the same technology to detect and inventorymalware/exploits. All of this allows researchers to understand the truetarget landscape/scope for the malware/exploit, and the malware/exploitcan be tested against anti virus (AV) and in-line security systems suchas intrusion prevention systems (IPS), next generation firewalls (NGFs),and breach detection systems (BDS.)

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows the high-level architecture of the major components ofBaitNET.

FIGS. 2A-2D illustrate the process control and internal operations ofthe BaitNet Control Process and its interoperability with the Capture,Replay, and Proxy processes.

FIGS. 3-6 are examples of the user interface of the BaitNET system ofFIG. 1.

DETAILED DESCRIPTION OF ONE OR MORE EMBODIMENTS AND IMPLEMENTATIONS OFTHE SYSTEM AND METHOD

BiatNET is designed to seek-out, detect, itemize, and replay/retestactive malware campaigns and new exploits. BaitNET is an multi-leveledapplication operating within the kernel and application-process layersof the operating system, with hooks and function capabilities that makeit stand-out from other technologies utilized to detect malware. It ismost commonly used to test these other products, e.g. antivirusapplications (aka “Enterprise Endpoint Protection”) and therefore hasbeen shown to be far more effective at detecting such malware. BaitNETsupports various types of OSes as a threat forecast system. BaitNET'sVirtual Machines (VMs) can simulate servers, workstations, even mobilecomputing devices such as smartphones and tablets.

As shown in FIG. 1, the system utilizes three arrays of servers andnetworking hardware known as “stacks.” Each stack is any number ofphysical servers that host virtual machines (“guests”.) The exact numberof servers and guests is based on the scope and scale of the testing andresearch being performed. Typically, within “Live Testing” this will bemany tens of thousands of guests. FIG. 1 illustrates theinteroperation/communication of the various stacks of servers and guestswith the infrastructure support servers, as well as which componentshave Internet connectivity.

Specifically, the system may be implemented using the computingresources shown in FIG. 1 including the stacks. As shown in FIG. 1, thesystem may be implemented with a capture stack, a replay stack, a proxystack. The system may also have a master hypervisor controller thatcontrols each of the stacks as well as one or more SQL servers (forstorage of data and the like) and one or more transfer servers. As shownin FIG. 1, the capture stack and the proxy stack have access to acomputer network, such as the Internet. The capture stack implements thecapture process described below, the replay stack implements the replayprocess described below and the proxy stack implements the proxy processdescribed below. Each of the stacks may be implemented using one or morecomputing resources, such as one or more cloud computing resources orone or more server computer resources. Each of the one or more computingresources may have a processor and memory and a plurality of lines ofcomputer code that may be stored in the memory and executed by theprocessor to implement the capture, replay and proxy processes describedbelow. Each of the stacks also may be implemented as one or more virtualmachines that are controlled by the hypervisor controller.

FIGS. 2A-2D illustrate the process control and internal operations ofthe BaitNet Control Process (implemented by the master hypervisorcontroller) and its interoperability with the Capture, Replay, and Proxyprocesses. The controller process and part of the replay process areshown in FIG. 2A with the replay process also being shown in FIGS. 2Band 2C as shown by the reference designators (A and E) that show howFIGS. 2A, 2B and 2C connect to each other to show the replay process.FIGS. 2B and 2C also show the details of the capture process as shown bythe reference designator D that shows how FIGS. 2B and 2C connect toeach other to show the capture process. FIGS. 2B and 2C also show theZeroDay process as shown by the reference designator B that shows howFIGS. 2B and 2C connect to each other to show the ZeroDay process. FIGS.2B and 2C also show the proxy process as shown by the referencedesignator C that shows how FIGS. 2B and 2C connect to each other toshow the proxy process. Finally, FIG. 2D shows the details of theObfuscation Engine with references F and G showing the interchangebetween the capture process and the Obfuscation Engine. Also illustratedare the interchanges with the Obfuscation Engine, Exploit Feed, andZeroDAY modules. FIGS. 2A-2C show an enumeration process as shown by thereference designators (I and H) that show how FIGS. 2A, 2B and 2Cconnect to each other to show the enumeration process.

The BaitNET system may be operated by NSS Labs (“NSS”). Using sourcesfrom around the globe, the BaitNET processes begin with the correlationand normalization of various feeds that NSS subscribes to forinformation regarding potentially malicious websites. This normalizeddata is presented to BaitNET's Capture Process and is queued as targetsfor each of the configured operating system variations that are assignedto series of testing. BaitNET, using the Capture Process, issues the URLto each of the thousands of systems, utilizing thousands of variationsin configurations, and each system in turn visits the URL usingdisparate VPN tunnels, a mechanism of the Obfuscation Engine withinBaitNET's Capture Process, from around the world to obfuscate their truegeographical location as well as to explore the geo-location filteringthat may be employed by the malicious URL. If successful, a visit to theURL will result in a “drop” of malicious code to the target workstation.BaitNET monitors the download of the malicious code; and records thenetwork traffic, creates a copy of the malicious code, and catalogs allchanges to the operating system made by the malicious code.Additionally, the Capture Process will record any and all outboundcommunications from the now infected/compromised workstation. Thisoutbound traffic will include any Command and Control (C&C)communications, often identifying the true threat actor, as well as anydata being exfiltrated from the now infected system. Examples of theuser interfaces of the system that show, for example, the data capturedduring the capture process are shown in FIGS. 3-6.

FIG. 3 is an output from the system which illustrates validated exploitsthat have been discovered by the BaitNET system. The capture date, e.g.the date and time the malware or exploit was downloaded, is shown alongwith the corresponding source URL (Universal Record Locator) which showsthe full path to the file on the infected/malicious website, the exactoperating system that was used on the guest (virtual) workstation thatthe malware/exploit executed upon, and the exact application that themalware/exploit targeted (needed to be successful.) In this example, thefirst exploit in the list uses Java version 6 update 27 on MicrosoftWindows 7 and was downloaded from a URL which was redirected (linked) ona google.com website. A user of the system can click any of these fieldsto drill-down into more detailed information. E.g., The “Source” sectionprovides IP addresses, packet capture data, geo-location information,etc.

FIG. 4 is output from the system which illustrates detailed informationon the “drop” or malicious file that was downloaded and has beenvalidated to be malware/exploit code. Again the pertinent date and timeis displayed, a unique filename is presented which was generated by thesystem when the malware/exploit was captured. This file contains themalicious content and can been downloaded in its archived (safe) versionfor inspection and reverse engineering. The hash value (MD5) of thearchived file is presented so that the end-user can validate the filefrom the repository has not been altered. The system will indicated, aspresented in this example, that the malware/exploit has been validated.Validation occurs when the BaitNET system utilizes the Proxy and ReplayProcesses to confirm infection and execution of the capturedmalware/exploit. The center section of the page reflects the URI wherethe file was collected from (This matches the data on FIG. 3) the typeof URI/attack used, the IP address of the server that hosted themalicious file, and the country of origin of the IP address (aka“geo-location.”) Further detail is presented on the operable targetplatform(s) that were successfully infected with the malicious content.

FIG. 5 is more detailed information from the system with regard tomalicious content (malware/exploit code) that was captured. Here theend-user can find the hash (MD5) of the malicious executables (files)along with the exact size of each file. This information can be used toupdate in-line security systems such as an IPS, NGFW, or even endpointproducts such as anti virus to now identify the hash values of the nowknown malicious content and block it from either being downloaded(in-line devices) or executed (end point products.)

FIG. 6 contained detailed information on the URI and network behavior ofthe malicious website when accessed by the guest systems inside ofBaitNET. The information provides an end-user with the network packetcapture (pcap) data that is relevant to understanding the attack vector.Provided are the full URI, protocol of the attack (in this case http v.1.1) the specific web browser used (Mozilla 5.0), the actual URI of thedrop (in this case a sever in with a .DE, Germany, domain), as well asinformation about the server such as the web server operating platform(in this case Apache 2.0.59 running on a UNIX operating system with Modand Open SSL.) This data can be used by end-users to write firewallrules as well as other rules within in-line systems such as IPS, IDS,WAF, and NGFW. The exact vector of the attack being provided; whichincludes hosting, transmission, and target configuration are vitalpieces of information that are uniquely provided by BaitNET.

The system that was successfully infected is now reset to its virginstate, thus preparing it to be reused for the next URL in the queue. Allthe data collected is parsed into two different databases (stored in theone or more SQL servers.) The first database, used for logging andintelligence, stores the attack vector, information on the system thatwas successfully infected; as well as all other metadata on themalicious URL, code, attack vector, C&C, and activity of the malware.The second database, the Replay Database, is now populated with the copyof the malicious code, the configuration information for the maliciousURL (metadata, configurations, code, deployment vectors, etc.) and isused during the Replay and Enumeration Processes.

The Replay Process is now queued using data from the Replay Database.During the Replay Process, systems matching the configuration of thehost that successfully was infected during the Capture Process areprepared for testing of the malicious code. To prepare the systems, allrecent versions of products being tested (in-line security devices toendpoint protection products/anti virus) are automatically configured.Copies of the workstation used during the Capture Process are configuredas Replay Hosts with the latest versions of any and all endpointprotection products being tested. In-line security products such asintrusion prevention systems and next generation firewalls stand in waiton the network between the Replay Hosts and the Replay Servers. Theworkstations visit an internal (LAN-based) URL that has been created byBaitNET as a perfect copy of the malicious URL that was validated duringthe Capture Process. As each copy of the workstation is presented theinternal URL, BaitNET once again monitors the workstation capturing allmetadata related to the malicious code. If the code is successful inreaching the workstation and then executing properly the endpointprotection product being tested has failed to identify and/or stop themalicious code. If, during the visit to the internal URL, the drop isprevented, thus malicious code is prevented from ever reaching theworkstation, then the in-line security product was successful inidentifying the exploit and worked as designed.

During the Replay Process, the effectiveness of the malicious code istested in a live environment. For example, all major makes and versionsof web browsers are tested to determine which are susceptible to theexploitation during a drive-by type attack. e.g., an attack thatexecutes within the browser and does not require the end-user tomanually execute the malicious code. Different versions of applicationsystems, language packs (localization data), base operating systemrevision, and even different architecture such as iOS or Android mobiledevices can be checked against the copy of the malicious URL and themalicious code itself.

During the replay process, data is recorded into the Replay Databaseidentifying which workstations were infected, how they were configured,and what in-line and endpoint protection products, if any, were beingtested. After product testing has concluded, the Replay Process isreused with the same attack code to test different iterations ofworkstation platforms. This data is also recorded by BaitNET and is usedin the Enumeration Process for Threat Forecasting, as it is a means toindex all variations of the applications and operating systems beingtargeted by that specific malicious code.

For Threat Forecasting, the Enumeration Process can be used to continueto check localization configurations and geolocation exit points on theInternet to determine the full scope of the attack vector, provideintelligence on the threat actor(s), and harvest as much viable metadataas possible. This process is key in enumerating the variousconfigurations of operating system, browser, applications, securityproducts, etc. that the malware can use to successfully execute itself.The collation of this intelligence allows modeling to be performed, aswell as direct risk assessments, so that consumers understand if theirsystems, networks, and tools are at risk—and what to do, if anything, toprotect them against active malware/exploit campaigns.

All data, to include network traffic captures (aka “Pcap”) are retainedin the databases and can be reused by the system at any time. Newworkstation configurations, to include mobile device configurations, canbe presented to the captured malicious URL for future testing. Alltested products can be retested to confirm that patches/updates suppliedby the vendor are working as designed, to outline exactly which systemsprovided by 3^(rd) parties are susceptible to the attack (“GoldImages”), and to validate attack data captured during the CaptureProcess.

During the Replay Process, a Proxy Process is generated and utilized.This proxy process facilitates the ability of BaitNET to performcontinual testing against the malicious URL that was collected duringthe Capture Process without the need of the original/actual maliciousURL. This is important due to the short lifespan of most malwarecampaigns, security features within the malware campaign to identify andprevent drops of malicious code to systems on the same network, and toobfuscate/protect the research and investigation into the malwarecampaign. The Proxy Process uses the original source code of themalicious website as recorded by the Capture Process which was fed bythe URLs from the Threat Feeds. The Proxy Process emulates the remoteserver, source code of the website, and will serve (hand-out) themalware in the same way that the original website did.

The Proxy Process is completely automated, and pulls all data from thedatabases crated during the Capture and Replay Processes. This includesthe formulation of remote parameters of the original malicious website,pulling and reassembling the archive of the original malicious website,unpacking the archive, and finally launching and managing thefully-functional copy of the malicious website.

The Enumeration process, much like the Replay Process, utilizes the datawithin the BaitNET suite of databases and utilizes the Proxy Process tovirtually revisit the malicious websites. Unlike the Replay Process,which uses the first viable combination of operating system and softwarewhich allowed the malware/exploit to execute properly and is used totest the efficacy of security products, the Enumeration Process has beendesigned to enumerate all possible variations of operating system andinstalled software across various platforms (computers, mobile devices,etc.) to determine all viable combinations that would allow themalware/exploit to execute properly. This data can been fed back intothe Replay Process whereby each valid iteration can be used to testother security products.

In one implementation, the entire BaitNET suite of processes may takeplace in parallel, currently utilizing four parallel threads that areresponsible for managing each of the aforementioned processes (Capture,Replay, and Proxy) along with their sub-processes such as theObfuscation Engine shown in FIG. 2D and modules covered within thisdocument such as ZeroDAY and are collectively controlled from theControl Process. Additionally monitoring of the virtual machines (VMs)and the setup and tear down (establishment and reverting) of the VMsalong with their guest operating system and application configurationstake place from within the Control Process.

Full control of the VM architecture is done through BaitNET's ControlProcess (implemented by the Master Hypervisor Controller in FIG. 1),which is modified to operate natively and replace the virtual machinetools for the specific hypervisor. e.g., BaitNET replaces VMWare'sVMWare Tools and completely controls the guest and host controls withinthe hypervisor. This control is automated and functions as a separatethread during the Control Process and works in parallel with theCapture, Replay, and Proxy processes. BaitNET can procure, configure,and operate VMs on demand, autonomously, and scale resources duringtesting.

Due, in part to the Control Process' replacement of the virtual machinetools normally used within the hypervisors, as well as it's integrationof those tools into the operating system itself by modifying systemlevel dynamic link libraries (DLLs) and other system or library calls,the hypervisor itself is now hidden from the malware. Additionalcloaking technologies that prevent detection of BaitNET are coveredherein within the model overviews.

As outlined herein, BaitNET is a system of custom developedapplications, application program interfaces (APIs), and kernel-levelmodification, such as the AI Module of the system, the ObfuscationModule of the system, the ZeroDAY module of the system and the captureprocess, for example which are applications. The applications for boththe hypervisor host and the guest functionality as well as the operatingsystems. BaitNET currently supports all versions of Microsoft Windowsoperating system, all Intel-based versions of OS X, iOS, and Android.One key feature for BaitNET is its ability to render the “VM DetectionSystem” (e.g. ability to discern a virtual machine from a physical/realmachine by malware) found in modern malware/exploits useless. BaitNETmodifies the hypervisor control system, replacing it's API, as well asproduces real-user-like random movements of the mouse and other UIdevices to trick malware into believing it is on a real host. Thisthwarts the ability of malware to detect a VM, which would normallyprevent it from deploying its payload as VMs are often used in antivirus systems to incubate suspected executable files. BaitNET is alsocapable of detecting and monitoring virtual machine/microvisor malware.This type of malware will launch virtual sessions or even full virtualmachines within the infected host, these machines are undetectable asare the malicious software running in them because other detectionsystems are only aware of the main operating system and instance of thesystem.

Using the system, the malware, or exploit, can be captured, identifiedand replayed through BaitNET's replay server and replay technologies(modules) against any number of other guests operating any variation ofapplication, patch-level, or operating system to determine the truetarget impact of the exploit. E.g., If the exploit or malware was firstdetected using Windows 2008, SP1, running Adobe XYZ-version, BaitNET canthen test the malware against all other variations of Windows operatingsystems, difference versions of Adobe products, etc. to identify whichconfigurations of systems are susceptible to the malicious software.

In one implementation, the BaitNET system is primarily written to workwithin VMware's ESXi, but originally was designed to work withMicrosoft's Hyper-V. Modifications can be made which would allow it torun on any hypervisor system, thus supporting multiple hypervisorscommunication channels. It does this seamlessly and smartly through thehypervisor module associated with BaitNET that replaces the nativehost-to-guest API, additionally BaitNET can be operated on Bare-metal,however performance will become an issue and this would not be asscalable. BaitNET can scale to an infinite number of VMs within a cloudconstruct as long as the hardware can support the additional guests.

BatiNET's functions are expanded and complimented through the use ofmodular components (Modules) described below in more detail, each ofwhich provides functionality used in threat forecasting and theevaluation of 3^(rd) party security product effectiveness as shown inFIG. 2.

ZeroDAY Module

This module is a state of the art plugin for BaitNET allowing it todetect any type of exploitation attack, and was developed to identify0day attacks, e.g., Exploits and malware that have yet to be categorizedor identified within the security community, often meaning there is nocurrently known defense to these attacks as the maintainers of thecommercial or OpenSource products being targeted are themselves unawareof the flaw being exploited. Capable of dissecting the attack andrecording the smallest components, uncovering how every intricate stepand security mitigation tactic was used to achieve the attack. Thismodule is based on unique knowledge that the owner of the BaitNET systemhas developed through various research projects. ZeroDAY is effectivewhen presented with the most complex and customized/never before seenmalware as used in advanced persistent threat (APT) attacks. The modulecan be set to detect and catalog the attack, or detect and block theattack. Unlike EMET, Microsoft's current security mitigation technology,which is easily bypassed, ZeroDAY utilizes the combined filtration ofkernel32, kernelbase and ntdll. The general capabilities of ZeroDay areoutlined herein.

Key features of ZeroDAY—

ZeroDAY may perform any or all of the following industry recognizedtasks for recognition and cataloging of exploits:

-   -   In-Memory ShellCode detection    -   Raw ShellCode dumping (raw output of shell code—to file)    -   Raw ShellCode disassembly (post analysis)    -   ShellCode emulation    -   Identify APIs used in the ShellCode    -   Log API parameter information:        -   a. Network        -   b. Memory        -   c. File        -   d. Process    -   ROP detection    -   ROP gadgets detection    -   ROP gadgets dumping with backward disassembly (module+function)    -   HeapSpray detection    -   NOP Sled detection    -   Null Page Allocation Detection

In general ZeroDAY can monitor and protect any application in user-land(ring-three e.g., “r3”), but can only monitor and not protect againstkernel-land (ring-zero e.g., “r0”)—exploits affecting the OS servicesdirectly, it will still be able to protect against kernel based exploitsbeing served through user-land and any other application that utilizesthis attack vector.

Additional Info

The system provides stack validation and monitoring that includes theprotection from direct access to Kernel32, KernelBase and NTDLL DLLsAPIs, unlike the current EMET 3.5, so the return oriented programming(ROP) is not protected against KernelBase dynamic API loading.

The system may also have a CODE/TEXT section permission change monitor.This monitor is a novel process/mechanism. This mechanism allows thedetection and monitoring of privilege escalation through a processwhereby the system monitors for code/text changes. This is possible dueto the way that ZeroDAY integrates into the kernel and ties directlyinto primary system sub processes.

A semi control-flow-transfer (CFT) checks is part of the system and allsystem calls (r3) will still tunnel back to the original one in thekernel (r0). Therefore, calls will be filtered through KiFastSystemCall[SystemCallStub] (triggered by interrupt vector int 0x2E)

Post-analysis by the system is important because of the followingreason(s):

Having in-hand samples, which are then automatically analyzed toidentify how the attack was carried out in-depth, and using which

gadgets, DLLs and so forth.

ZeroDAY was designed not only to detect and/or stop the attack, but alsoto

find information regarding post-attack. Which may include communicating

with a command and control (C&C) server, downloading of more malware andso on. It serves well to automate the detection, post-automated analysisof the attack and gathering in-depth information for data analysis(Briefs, Blog

posts, etc) which other individuals or companies do not have.

VM+SandBox Detection Avoidance and Circumvention Module

Almost all malware detects the presence of/if it is hosted by anoperating system managed as a virtual machine (VM.) aka “SandBox” andwill avoid execution and revealing their control-flow (CF) to bedynamically analyzed. This was developed to circumvent thisanti-detection capability in modern malware; it will detect whether thedropped malware is a result of an exploit or was simply the result oftypical drive-by's that attempt to avoid execution within a VM or aSandbox. There are multiple options for circumvention of theanti-detection technology within malware:

1) Direct in-memory patching based on signatures developed in the labusing advanced regular expressions and Boolean algebra

2) Hijacking the system calls made by the malware through a proxy stub,trampolining the original code with the new one and feeding the malwarethe wrong results tricking it to run as expected on a bare-metalmachine.

AI Module

This module is responsible in generating artificial human activity inthe VM. As some malware will check for the lack of mouse activity orkeyboard activity or even processes being spawned. The absence ofactivity from these human interface devices, along with the absence ofancillary processes and applications are indicative of a automatedmachine, and therefore a trap. The AI Module corrects this oversight inother incubation systems by injecting randomized mouse movements andusage, keyboard input to include realistic typing patterns, mistakesvariations in speed, etc. The AI Module also opens and closes ancillaryprocesses, such as chat software, email clients, etc. All producing reallife user behavior on the virtualized systems. The system may openemail, for example, check various items in the inbox, respond to email,or chat online with other systems and real users. Any program can beadded to the AI Module, to include sophisticated systems such ascomputer games, and office products where assets such as spreadsheets,presentations, and documents can be created. All of this produces a veryrealistic usage of the machine.

The AI module and Sandbox modules may be part of the system (like theZeroDay module) in FIGS. 1 and 2, but is not shown in these figures.

VM Templates

All the VM images being used across the stacks are created from custommade templates, which use the underpinning of the Control Process, whichintegrates the virtual machine controls into the base operating system,thus hiding the Guest OSes and appearing like a normal bare-metalmachine. This includes options such as:

Getting the PTR location

Setting the PTR location

Direct Exec

NT Reloc

Self Modification

Reloc

BT Segment

BT Privilege

BT Mem Space

BT IN Port

BT Out Port

1. A malware and exploit campaign detection system, comprising: aplurality of computer systems; a capture stack that is configured toissue a uniform resource locator to each computer system to download apiece of malicious code; a replay stack that is configured to test thepiece of malicious code in a live environment and generate data aboutthe replay of the piece of malicious code; a proxy stack that isconfigured to perform testing of the piece of malicious code withoutaccessing the uniform resource locator; and a master hypervisorcontroller that controls the capture stack, the replay stack and theproxy stack.
 2. The system of claim 1, wherein the capture stack, thereplay stack and the proxy stack run in parallel.
 3. The system of claim1 further comprising a zero day module that identifies zero day attacks.4. The system of claim 1 further comprising SQL servers configured tostore data of the system.
 5. The system of claim 1 further comprising atransfer server.
 6. The system of claim 1, wherein the capture stack isconfigured to create a copy of the piece of malicious code and catalogsoperating system changes caused by the piece of malicious code.
 7. Thesystem of claim 1, wherein the capture stack is configured to capturecommunications with the plurality of computer systems.
 8. The system ofclaim 1, wherein each stack is one or more server computers.
 9. Thesystem of claim 8, wherein each stack has a virtual machine.
 10. Amalware and exploit campaign detection method, method comprising:executing a capturing process, wherein the capturing process issues auniform resource locator to each computer system to download a piece ofmalicious code; executing a replay process, wherein the reply processtests the piece of malicious code in a live environment and generatesdata about the replay of the piece of malicious code; executing aproxying process, the proxying process performs testing of the piece ofmalicious code without accessing the uniform resource locator; andcontrolling, using a master hypervisor controller, the capture process,the replay process and the proxy process.
 11. The method of claim 10further comprising executing the capture process, the replay process andthe proxy process in parallel.
 12. The method of claim 10 furthercomprising identifying, using a zero day module, zero day attacks. 13.The method of claim 10, wherein executing the capturing process furthercomprises creating a copy of the piece of malicious code and catalogingoperating system changes caused by the piece of malicious code.
 14. Themethod of claim 10, wherein executing the capturing process furthercomprises capturing communications with the plurality of computersystems.